Perhaps one of the more challenging aspects of FireWall-1 is licensing the product. Even those who have been selling and supporting FireWall-1 for a number of years tend to get tripped up by Check Point's licensing from time to time. This article, derived from Essential Check Point Firewall-1: An Installation, Configuration, and Troubleshooting Guide (Addison-Wesley, 2001, ISBN 0201699508), sets you straight on licensing requirements.

A firewall module enforces your security policy and sends log information to
a management console. This is typically referred to as the firewall. The
management console is responsible for storing, compiling, and pushing the
security policies out to the firewall modules. It also receives logging
information from the firewall modules, and processes alerts. The Management GUI
applications allow you to view, edit, and install security policies, view logs,
and see the status of all installed firewall modules. The Management GUIs
communicate with the management console, which does all of the actual work.

With some exceptions, which I will note in the following sections, each of
these components may exist on separate systems. You can even mix and match the
platforms on which each of these components exists. For example, you can have the
firewall on a Nokia platform, the management console on Solaris, and the
Management GUIs on Windows.

Note that in a High-Availability configuration, all firewalls must be on the
same platform. The same is true for High-Availability management consoles in
FireWall-1 NG.

Node-Limited Firewall Licenses

Node-limited firewall licenses are restricted in terms of the number of IP
addresses that can be behind the firewall. FireWall-1 listens for any IP-based
traffic on all interfaces except for ones deemed external. How you tell
FireWall-1 which interface(s) are external depends on the version. In FireWall-1
4.1 and earlier, which supports only a single external interface, the name of
that physical interface is listed in the file $FWDIR/conf/external.if on the
firewall module. In FireWall-1 NG and later, this information is defined on the
management console in the firewall workstation object, topology tab. Multiple
interfaces can be defined as external here. However, a node-limited license does
not allow you to route traffic to these interfaces.

Any time FireWall-1 hears hosts talking to each other with an address on a
non-external interface, it notes the IP addresses. After FireWall-1 has heard
n IPs (plus a 10-percent fudge factor), each connection from the (n+1)th and any
further hosts generates an e-mail to root and a message to syslog or the event
viewer. When the license is exceeded by a large number of hosts on a busy
network, FireWall-1 consumes itself with logging and mailing out messages about
exceeding your license. In many cases, this causes the firewall to process
traffic very slowly, if at all.

So what are the implications of how FireWall-1 enforces a node-limited
license? Anything behind your firewall with an IP address will eventually
be found out. This includes non-computer components such as printers, coffee
makers, and so on. Anything with an IP address that talks on your LAN will be
heard eventually. Also, machines with multiple IP addresses will most likely be
counted more than once. Peripherals that do not use TCP/IP should not be
counted. Machines that only use AppleTalk, IPX, NetBEUI, and so on should also
not be counted. Because FireWall-1 only looks for IP traffic, it should safely
ignore these machines.
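To make the counting behaviour in the two paragraphs above concrete, here is a small model of the node-limit accounting as the text describes it: distinct addresses heard on non-external interfaces are counted, external traffic is ignored, a dual-homed host is counted once per address, and every connection from a host beyond the limit produces an alert. This is an added example, not Check Point's code; the interface names, addresses and the exact rounding of the fudge factor are assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class NodeLimitCounter:
    """Constructed model of FireWall-1's node-limit accounting (not vendor code)."""
    licensed_nodes: int
    external_ifaces: frozenset
    counted: set = field(default_factory=set)   # hosts within the license
    excess: set = field(default_factory=set)    # hosts beyond it
    alerts: list = field(default_factory=list)  # one entry per offending connection

    @property
    def threshold(self) -> int:
        # n plus the 10-percent fudge factor; rounding down is an assumption
        return math.floor(self.licensed_nodes * 1.1)

    def observe(self, iface: str, src_ip: str) -> bool:
        """Feed one connection; return True if it triggered a license alert."""
        if iface in self.external_ifaces or src_ip in self.counted:
            return False          # external traffic and known hosts are free
        if len(self.counted) < self.threshold:
            self.counted.add(src_ip)
            return False
        # Beyond the limit: the firewall logs and mails on every such connection,
        # which is the overhead the text warns about on a busy network.
        self.excess.add(src_ip)
        self.alerts.append(f"license exceeded: {src_ip} heard on {iface}")
        return True


def simulate(licensed_nodes: int, external_ifaces, connections):
    """Run (interface, source_ip) connections through the counter and report
    (hosts counted, distinct hosts over the limit, alerts generated)."""
    counter = NodeLimitCounter(licensed_nodes, frozenset(external_ifaces))
    for iface, ip in connections:
        counter.observe(iface, ip)
    return len(counter.counted), len(counter.excess), len(counter.alerts)


# Constructed sample traffic for a 10-node license with eth0 as the external
# interface (hypothetical names). Eleven hosts fit thanks to the fudge factor;
# a server with addresses on eth1 and eth2 is counted twice; a printer that
# arrives last alerts on each of its five connections.
SAMPLE = (
    [("eth0", "203.0.113.9")]
    + [("eth1", f"10.0.0.{i}") for i in range(1, 11)]
    + [("eth2", "10.0.1.5"), ("eth1", "10.0.0.200")]
    + [("eth1", "10.0.0.99")] * 5
)
```

Calling `simulate(10, ["eth0"], SAMPLE)` on the sample gives 11 hosts counted, 2 distinct hosts over the limit, and 6 alerts, one per connection from the excess hosts rather than one per host.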

There are plenty of ways to deliberately mislead or fool the license. For
example, machines can be hidden behind a choke router, a switch, a proxy server,
or another FireWall-1 box. However, Section 2.5 of the January 2000 End User
License Agreement for Check Point FireWall-1 clearly states that this is not
permitted:

The Product is licensed to You based on the applicable Licensed
Configuration purchased. The License permits the use of the Product in
accordance with the designated number of IP addresses. It is a violation of
this End User License Agreement to create, set-up, or design any hardware,
software, or system which alters the number of readable IP addresses presented
to the Product with the intent, or resulting effect, of circumventing the
Licensed Configuration.

In any case, these sorts of licenses are only
appropriate for use where you can guarantee the number of hosts behind a single
gateway. More importantly, in FireWall-1 4.1 and earlier, these licenses should
only be used where an external network can only be reached through a single
interface. If it can be reached through more than one interface or you have no
way to control the number of hosts behind the firewall, this type of license
should not be used.